<b>aaron:</b> Hey you, kekoosh! (Gitter): Heh, I don’t even use Twitter.

Wise. Twitter is in Russian reversal mode now, it uses its users

Add .cc/ to your tweet if you wanna tweet something more than 250 chars (or whatever the limit is)

aaron: Now? Don’t all services use their users to one extent or another?

True, but VMs are more for having multiple OSes running at once than security, so it's important to remember they can be compromised and even damage the host

are jails (or gnu/linux containers) any better?

i thought the opposite.

are jails (or gnu/linux containers) any better?

Jails are definitely better, Linux however, doesn't have containers.

<b>aaron:</b> VMs are better at isolation than jails (FreeBSD) or containers (Linux).

<b>aaron:</b> Just a side-effect of their design.

<b>aaron:</b> That doesn’t mean there’s not exploits to escape or divine host/neighbor activity in each system.

Neither should be relied on for security. They're wonderful tools for organization and division of resources. But not for security.

<b>aaron:</b> VMs are a pretty good tool for easy access to security features. I don’t know anyone else exposing stuff like VM-d to userspace.

So the solution is to have a separate machine and seperate network for unsafe activity?

<b>aaron:</b> ^ Ideally, yes. We don’t live in an ideal world though, so isolate, contain, and monitor.

So the solution is to have a separate machine and seperate network for unsafe activity?

Yup. Completely isolated.

So the solution is to have a separate machine and seperate network for unsafe activity?

Especially for Windows, printers, and anything running systemd

<b>Hey you, kekoosh! (Gitter):</b> that heavily depends on what you describe as unsafe activity. physical separation can be a fatal flaw if swat goes in and you didn't have time to pull out yubi-key, or if your spouse/parent/partner buys usb keylogger, etc.etc. etc. 99% cases your vm setup with some encryption is more than enough

Jails are definitely better, Linux however, doesn't have containers.

isnt docker the jails-system of gnu/linux? i dont know much on the subject, thats just what ive read online

<b>aaron:</b> That doesn’t mean there’s not exploits to escape or divine host/neighbor activity in each system.

I know.

isnt docker the jails-system of gnu/linux? i dont know much on the subject, thats just what ive read online

Kind of, but not exactly. Docker and other Linux "containers" have a very different approach than Jails. Brian Cantrill has a great rant about it in the Cantrillogy

<b>aaron:</b> Hey you, kekoosh! (Gitter): If your security relies on a physical key constantly in your system, you should build around that.

<b>aaron:</b> Hey you, kekoosh! (Gitter): And I don’t mean skip the isolation part.

<b>Hey you, kekoosh! (Gitter):</b> I mean, if you want protection, you either go full batshit crazy mode if you have time & skills, or think about what are you protecting from: over-protection in unskilled hands is far worse than simple protection you understand fully. more week points etc

<b>Hey you, kekoosh! (Gitter):</b> like don't roll your own crypto

<b>aaron:</b> Hey you, kekoosh! (Gitter): The Point of ubikeys is to plug in at time of auth. They’re not designed as a permanent fixture.

aaron: (And they’re always supposed to be paired with a password (2FA), so even failing and leaving one in should not disrupt your security model.)

<b>Hey you, kekoosh! (Gitter):</b> yeah, I know, it was a figure of speech, that story about some guy from tor-market who didn't have time to lock the computer

Hey you, kekoosh! (Gitter): I should google that story

<b>aaron:</b> That was a single computer. There was no isolation there. He got tackled (literally) in the library.

Neither should be relied on for security. They're wonderful tools for organization and division of resources. But not for security.

do you believe that VMs and jails are placebo regarding security?

Hey you, kekoosh! (Gitter): books are evil

do you believe that VMs and jails are placebo regarding security?

I believe they're being misunderstood, like ASLR.

Neither should be relied on for security. They're wonderful tools for organization and division of resources. But not for security.

What do you recommend for security

I have rpi lying around

<b>aaron:</b> Complete hardware isolation per application.

USB ----rpi--scanning----unifected usb--computer

For security, I recommend thermite. Although that's proven to not be 100% successful, either.

Is it good enough set up

Browsing on rpi may be slower

For security, I recommend thermite. Although that's proven to not be 100% successful, either.

Needs to be paired with ricin, I'd imagine

So in that Case I 'll go for browser add-ons

Which are other resources for infection except browsing and USB

May be wireless connections

For security, I recommend thermite. Although that's proven to not be 100% successful, either.

disconnecting from the internet works pretty well. or unplugging the power entirely. how about a sane approach without hardware isolation, though?

It's impractical to disconnect internet

What's thermite and ricin

What's thermite and ricin

Great deadman's switch

aaron: Jan Naj (Telegram): duckduckgo.com

disconnecting from the internet works pretty well. or unplugging the power entirely. how about a sane approach without hardware isolation, though?

Patch early, patch often. Be smart. Use operating systems that put exploit mitigations first. Define what your threat and attack vectors and provide reasonable assurances around them.

<b>aaron:</b> Shawn Webb (Telegram): Pretty bad success rate on metal HDDs though. I think it secures SSDs good enough though.

lul

I like your photo

seems to be a pixel art for openbsd ??

Cool

I like your photo

I love pixel arts xD It's from this game stardew valley

nice, i'm a pixel art fan too xD

my shit logo is a shit reference for netbsd

Me too

Almost break my head trying to find why pyenv doesn't see what python on 11.

This is by design, symlink helped

*what python->system python

nice, i'm a pixel art fan too xD

Me too.

VVelox: https://metacpan.org/release/VVELOX/Proc-ProcessTable-Colorizer-0.0.0 Wooho!

Jaypatelani: Is it better to change kernel name of host os to reduce attack vector? Compiling os with different name? Or just user-agent OS name change is better?

https://qz.com/1120344/200-universities-just-launched-600-free-online-courses-heres-the-full-list/

#BSDSec LibreSSL 2.6.3 Released... #OpenBSD https://t.co/szJU4fe81Z— BSDSec.net (@BSDSec) November 6, 2017 November 06, 2017 at 03:41PM via Twitter https://twitter.com/BSDSec